user3705625

SQL injection on stored procedure

I am trying to do SQL injection on my stored procedure through a login form. Here is my stored procedure:

CREATE proc [dbo].[sp_ADM_Login]
(
    @loginName varchar(25),
    @password varchar(100)
)
AS

-- Returns the login row only when both the name and the password match exactly
-- and the account is active; the inputs are compared as values, not parsed as SQL.
select
    l.LoginId,
    l.LoginName,
    l.LoginType,
    l.RG_cCode,
    dbo.GetUserName(l.UserDetailsCode, l.LoginType) as [Name],
    isnull(l.DefBranchId, 0) as BranchId,
    l.DefBranchCode as branchCode,
    l.LoginCode as loginCode
from
    ADM_Login l
where
    LoginName = @loginName and
    [Password] = @password and
    l.IsActive = 1

I tried giving the user name as user' or 1=1-- but it doesn't work. Is it possible to do SQL injection in this code?

To execute the stored procedure, here is the C# code:

using System.Data;
using System.Data.Common;
using Microsoft.Practices.EnterpriseLibrary.Data;

// Enterprise Library Data Access block: the procedure is called by name and
// both inputs are bound as typed parameters rather than concatenated into SQL.
Database db = DatabaseFactory.CreateDatabase("ConnectionString");
DbCommand cmd = db.GetStoredProcCommand("sp_ADM_Login");
db.AddInParameter(cmd, "@loginName", DbType.String, loginName);
db.AddInParameter(cmd, "@password", DbType.String, password);
DbDataReader dr = (DbDataReader)db.ExecuteReader(cmd);

Upvotes: 2

Views: 2452

Answers (2)

Anders Abel

Reputation: 69260

No, it isn't possible to do SQL injection with properly parameterized queries, as long as you call them from your C# code with parameters. If you format an EXEC sp_ADM_login... SQL string by yourself, you are vulnerable.

With the C# code using proper parameters as you do, you are totally safe. Any strange values will be properly escaped.

Upvotes: 5
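To make the distinction in this answer concrete, here is an added example (not code from the question or from the answer) using plain ADO.NET System.Data.SqlClient instead of the Enterprise Library wrapper in the question; the connection string, the LoginDemo class and the method names are assumed. It places the unsafe hand-formatted EXEC string beside the parameterized call to the same sp_ADM_Login procedure.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed class and method names; the procedure is the one from the question.
public static class LoginDemo
{
    // VULNERABLE: the caller formats the EXEC statement itself, so the login
    // name from the question, user' or 1=1--, becomes part of the SQL text:
    //   EXEC dbo.sp_ADM_Login 'user' or 1=1--', 'x'
    // The quote closes the literal and the remainder is parsed as SQL.
    // Shown only to contrast with TryLogin below; never ship this.
    public static string BuildUnsafeExec(string loginName, string password)
    {
        return string.Format("EXEC dbo.sp_ADM_Login '{0}', '{1}'", loginName, password);
    }

    // SAFE: the procedure is invoked by name and both values travel as typed
    // parameters, so the server never parses them as SQL. The whole string
    // "user' or 1=1--" is compared against LoginName as data and matches nothing.
    public static bool TryLogin(string connectionString, string loginName, string password)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.sp_ADM_Login", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Sizes match the procedure's declared varchar(25) / varchar(100).
            cmd.Parameters.Add("@loginName", SqlDbType.VarChar, 25).Value = loginName;
            cmd.Parameters.Add("@password", SqlDbType.VarChar, 100).Value = password;

            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                // A row is returned only when LoginName and Password match exactly.
                return dr.Read();
            }
        }
    }
}
```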

Szymon

Reputation: 43023

It's not possible to do SQL injection when you are using parameters to pass information to your stored procedure from the code.

SQL injection can happen if you concatenate queries from string parts and do not use parameters.

Upvotes: 3